With GDPR coming into full effect in little over a year, companies should be making real inroads into their preparation. But businesses are not acting as quickly as they should be, and are leaving compliance until the last minute. We look at the six areas companies should be looking at on their road to achieving compliance.
Mandatory data inventorising and record keeping of all processing of European personal data
IDC analyst Duncan Brown says that this is something a well-run company will be doing anyway, but it’s clear that while some have, plenty of others are still to get going.
Adding to this, David Kemp, EMEA specialist business consultant for Micro Focus, believes companies should first look to reduce the data lake. Companies have got too much data, some going back years, held across a variety of systems.
“Companies should see this as an advantage,” he says. “Some have wanted to do this for years; it’s costing money for storage.”
Mandatory data breach notification to regulators and individuals
The data breach notification is one of the most dramatic changes engendered by GDPR. The important thing, explains Brown, is that this notification is no later than 72 hours after the breach has been discovered. The data controller (the company subjected to the data notification obligation) must report the security breach within this short time-frame, and it’s a huge challenge.
“The industry average for breach discovery is 200 days,” he says, “that’s two thirds of the year that someone’s on your system.”
Brown says GDPR gives good guidance here. “Companies, therefore, should set systems in place to detect breaches quickly and have an incident response plan. The other requirement is to notify data subjects…it’s important to talk to customers and you may want to do that even before talking to the regulator.”
These requirements highlight another issue: the inadequacy of security tools. Companies have invested heavily in security, but there’s one major problem. “Most companies have bought the best they can afford but they don’t talk to each other: they’re poorly integrated,” says Brown.
To get on top of GDPR requirements, companies should be looking to integrate security tools. “The range of the products is now a risk to the business and already we’re seeing companies refusing to buy security products until they can be integrated,” adds Brown.
The right to be forgotten (which allows individuals to request that their personal data be erased)
In 2014, the European Court of Justice ordered Google to delete specific references to an EU citizen under the so-called ‘right to be forgotten’. A Spanish man, Mario Costeja Gonzalez, argued that the search giant held information on him which had a negative impact on his business activity. Google refused, saying it was not a data controller (the negative article was hosted on a publication’s website), and that the information (an auction notice) was publicly available. Google lost and faced thousands of RTBF requests as a result.
This right (also known as the ‘right to erasure’) already exists under current EU data protection law and is now a vital element under GDPR, says Judith Vieberink, attorney with the Netherlands-based First Lawyers.
“This should be something that’s centrally managed in order to allow an automated data erasure process.”
This involves different departments working together. “It’s something that should be integrated with the IT helpdesk - this will make it easier to automate the process,” she adds. Other experts argue this approach should go hand-in-hand with the business soliciting legal advice so as to ensure the RTBF is applied correctly.
Routine privacy impact assessments
Under GDPR, it is advisable that privacy impact assessments (PIAs) are carried out, especially in instances where processing data could result in a higher risk to an individual’s rights and freedoms. This may be seen as another aspect of ‘tick-box’ compliance, but some argue that this represents a new business opportunity.
Dane Warren, head of IT security at the Intertek Group, says businesses should be carrying out privacy impact assessments to identify what data is being held where. He says there’s an advantage in doing this. “Organisations are doing data discovery and understanding their applications better.”
Companies aren’t left to their own devices though, explains IDC’s Brown. “There are tools that you can use for your PIAs. And there are guidelines from the International Association of Privacy Professionals, so it’s not pure guesswork.”
But, Brown stresses, this is not an area that should be neglected, as GDPR is not just about data breaches. “You can be non-compliant with GDPR and not suffer any breaches.” It’s important that the board takes PIAs seriously, making them a vital part of risk assessment. “The regulator will take a dim view, if they’re just five minute discussions at the tail-end of a board meeting,” he adds.
Mandatory data protection officers (DPOs)
One of the major changes proposed by the GDPR is the new-found importance of the data protection officer (DPO). These will be mandatory for the public sector.
But where are these people to come from? It’s fair to say that organisations aren’t falling over themselves to appoint people to this vital role; according to Micro Focus’ Kemp, there are still vacancies for 28,000 DPOs across the EU.
One of the difficulties is that there are few people who will meet all the demands. Kemp says that because few DPOs exist, there needs to be a training programme.
“Many will be found from internal audit,” he says, “as audit is already about enforcing rules. But I’m also seeing an increasing number of law firms ‘insourcing’ services so they’re supplying lawyers to customers to act as DPOs.”
Vieberink points out that law firms can also act as training organisations. “DPOs need knowledge of a little bit of everything so we offer courses with 30 different modules. These cover accountancy, auditing, legal and technical.” She says that it’s not a position for new graduates.
“Typically, it’s for someone about 45 [years old] who’s looking for a career switch and sees DPO as a new opportunity.”
Data portability and deletion
This is a more contentious element of the regulation, says IDC’s Brown. “Regulators haven’t really understood the technical complexities of this, because, from a technological point of view, there are some real challenges.” For example, he explains, “if the data has been archived and there’s an outage, then there are difficulties in restoring from the archive.” He says there need to be processes in place to ensure that data that needs to be deleted stays deleted.
But that’s not the only complexity. There’s another issue, says Brown, around businesses’ understanding of what constitutes personal data. “What exactly do we mean by data?” he asks. It’s a tough area to crack. “There’s half a page of regulation on this but to deliver it technically is difficult,” he says. This is one of the areas within GDPR where the theory and the reality may be different. “However,” says Brown, “there’s a competitive advantage in showing you’re acting within the bounds of the law.”
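The centrally managed, automated erasure process Vieberink describes and the archive-restore problem Brown raises, as an added Python example that is not from the article or from any vendor it mentions: each erasure request is recorded once in a ledger, applied to the live store, and replayed after every restore from archive so that erased subjects do not come back. The subject ids, names and archive snapshot are constructed sample data, and the function names are the example’s own.

```python
"""Added example: a central erasure ledger replayed after every archive restore.
Subject ids, names and the archive snapshot are constructed sample data."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

@dataclass
class ErasureLedger:
    # subject_id -> UTC time the erasure request was processed
    erased: Dict[str, datetime] = field(default_factory=dict)

    def record(self, subject_id: str, when: Optional[datetime] = None) -> None:
        self.erased[subject_id] = when or datetime.now(timezone.utc)

    def apply(self, store: Dict[str, dict]) -> List[str]:
        """Delete every ledgered subject from `store`; return the ids removed."""
        removed = [sid for sid in store if sid in self.erased]
        for sid in removed:
            del store[sid]
        return removed

def process_erasure_request(store: Dict[str, dict], ledger: ErasureLedger,
                            subject_id: str) -> bool:
    """Helpdesk entry point: write the ledger first, then delete from the live
    store, so a crash between the two steps cannot lose the request."""
    ledger.record(subject_id)
    return store.pop(subject_id, None) is not None  # True if it was present

def restore_from_archive(archive: Dict[str, dict], ledger: ErasureLedger) -> Dict[str, dict]:
    """Restore a snapshot and immediately replay the ledger, so subjects erased
    after the snapshot was taken are removed again instead of resurrected."""
    store = dict(archive)
    ledger.apply(store)
    return store

def leaked_after_restore(store: Dict[str, dict], ledger: ErasureLedger) -> List[str]:
    """Audit check: any ledgered subject still present is a compliance failure."""
    return sorted(sid for sid in store if sid in ledger.erased)

# Constructed sample data: the archive snapshot predates the erasure request.
ARCHIVE = {"cust-001": {"name": "A. Example"}, "cust-002": {"name": "B. Example"}}
LEDGER = ErasureLedger()

def demo() -> tuple:
    live = dict(ARCHIVE)
    erased = process_erasure_request(live, LEDGER, "cust-002")
    naive = dict(ARCHIVE)                         # restore without replay
    safe = restore_from_archive(ARCHIVE, LEDGER)  # restore with replay
    return erased, leaked_after_restore(naive, LEDGER), leaked_after_restore(safe, LEDGER)
```

The naive restore resurrects the erased subject, which the audit check reports; the replayed restore comes back clean.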